Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.The OKD 4 installation program provides only a low number of configuration options before installation. Configuring most OKD framework components, including the cluster monitoring stack, happens post-installation.
This section explains what configuration is supported, shows how to configure the monitoring stack, and demonstrates several common configuration scenarios.
The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.
The supported way of configuring OKD Monitoring is by configuring it using the options described in this document. Do not use other configurations, as they are unsupported. Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in this section, your changes will disappear because the cluster-monitoring-operator reconciles any differences. The Operator resets everything to the defined state by default and by design.
The following modifications are explicitly not supported:
Creating additional ServiceMonitor, PodMonitor, and PrometheusRule objects in the openshift-*, and kube-* projects.
Modifying any resources or objects deployed in the openshift-monitoring or openshift-user-workload-monitoring projects. The resources created by the OKD monitoring stack are not meant to be used by any other resources, as there are no guarantees about their backward compatibility.
|
The Alertmanager configuration is deployed as a secret resource in the |
Modifying resources of the stack. The OKD monitoring stack ensures its resources are always in the state it expects them to be. If they are modified, the stack will reset them.
Deploying user-defined workloads to openshift-*, and kube-* projects. These projects are reserved for Red Hat provided components and they should not be used for user-defined workloads.
Modifying the monitoring stack Grafana instance.
Installing custom Prometheus instances on OKD.
Enabling symptom based monitoring by using the Probe custom resource definition (CRD) in Prometheus Operator.
Modifying Alertmanager configurations by using the AlertmanagerConfig CRD in Prometheus Operator.
|
Backward compatibility for metrics, recording rules, or alerting rules is not guaranteed. |
Monitoring Operators ensure that OKD monitoring resources function as designed and tested. If Cluster Version Operator (CVO) control of an Operator is overridden, the Operator does not respond to configuration changes, reconcile the intended state of cluster objects, or receive updates.
While overriding CVO control for an Operator can be helpful during debugging, this is unsupported and the cluster administrator assumes full control of the individual component configurations and upgrades.
The spec.overrides parameter can be added to the configuration for the CVO to allow administrators to provide a list of overrides to the behavior of the CVO for a component. Setting the spec.overrides[].unmanaged parameter to true for a component blocks cluster upgrades and alerts the administrator after a CVO override has been set:
Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.|
Setting a CVO override puts the entire cluster in an unsupported state and prevents the monitoring stack from being reconciled to its intended state. This impacts the reliability features built into Operators and prevents updates from being received. Reported issues must be reproduced after removing any overrides for support to proceed. |
You can configure the monitoring stack by creating and updating monitoring config maps.
To configure core OKD monitoring components, you must create the cluster-monitoring-config ConfigMap object in the openshift-monitoring project.
|
When you save your changes to the |
You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).
Check whether the cluster-monitoring-config ConfigMap object exists:
$ oc -n openshift-monitoring get configmap cluster-monitoring-configIf the ConfigMap object does not exist:
Create the following YAML manifest. In this example the file is called cluster-monitoring-config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |Apply the configuration to create the ConfigMap object:
$ oc apply -f cluster-monitoring-config.yamlTo configure the components that monitor user-defined projects, you must create the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project.
|
When you save your changes to the |
You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).
Check whether the user-workload-monitoring-config ConfigMap object exists:
$ oc -n openshift-user-workload-monitoring get configmap user-workload-monitoring-configIf the user-workload-monitoring-config ConfigMap object does not exist:
Create the following YAML manifest. In this example the file is called user-workload-monitoring-config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |Apply the configuration to create the ConfigMap object:
$ oc apply -f user-workload-monitoring-config.yaml|
Configurations applied to the |
In OKD 4, you can configure the monitoring stack using the cluster-monitoring-config or user-workload-monitoring-config ConfigMap objects. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object.
To configure core OKD monitoring components:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
<configuration_for_the_component>Substitute <component> and <configuration_for_the_component> accordingly.
The following example ConfigMap object configures a persistent volume claim (PVC) for Prometheus. This relates to the Prometheus instance that monitors core OKD components only:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s: (1)
volumeClaimTemplate:
spec:
storageClassName: fast
volumeMode: Filesystem
resources:
requests:
storage: 40Gi| 1 | Defines the Prometheus component and the subsequent lines define its configuration. |
To configure components that monitor user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
<configuration_for_the_component>Substitute <component> and <configuration_for_the_component> accordingly.
The following example ConfigMap object configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus: (1)
retention: 24h (2)
resources:
requests:
cpu: 200m (3)
memory: 2Gi (4)| 1 | Defines the Prometheus component and the subsequent lines define its configuration. |
| 2 | Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects. |
| 3 | Defines a minimum resource request of 200 millicores for the Prometheus container. |
| 4 | Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container. |
|
The Prometheus config map component is called |
Save the file to apply the changes to the ConfigMap object. The pods affected by the new configuration are restarted automatically.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config and user-workload-monitoring-config ConfigMap objects:
| Component | cluster-monitoring-config config map key | user-workload-monitoring-config config map key |
|---|---|---|
Prometheus Operator |
|
|
Prometheus |
|
|
Alertmanager |
|
|
kube-state-metrics |
|
|
openshift-state-metrics |
|
|
Grafana |
|
|
Telemeter Client |
|
|
Prometheus Adapter |
|
|
Thanos Querier |
|
|
Thanos Ruler |
|
|
The Prometheus key is called |
You can move any of the monitoring stack components to specific nodes.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To move a component that monitors core OKD projects:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configSpecify the nodeSelector constraint for the component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
nodeSelector:
<node_key>: <node_value>
<node_key>: <node_value>
<...>Substitute <component> accordingly and substitute <node_key>: <node_value> with the map of key-value pairs that specifies a group of destination nodes. Often, only a single key-value pair is used.
The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.
|
Many of the monitoring components are deployed by using multiple pods across different nodes in the cluster to maintain high availability. When moving monitoring components to labeled nodes, ensure that enough matching nodes are available to maintain resilience for the component. If only one label is specified, ensure that enough nodes contain that label to distribute all of the pods for the component across separate nodes. Alternatively, you can specify multiple labels each relating to individual nodes. |
|
If monitoring components remain in a |
For example, to move monitoring components for core OKD projects to specific nodes that are labeled nodename: controlplane1, nodename: worker1, nodename: worker2, and nodename: worker2, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusOperator:
nodeSelector:
nodename: controlplane1
prometheusK8s:
nodeSelector:
nodename: worker1
nodename: worker2
alertmanagerMain:
nodeSelector:
nodename: worker1
nodename: worker2
kubeStateMetrics:
nodeSelector:
nodename: worker1
grafana:
nodeSelector:
nodename: worker1
telemeterClient:
nodeSelector:
nodename: worker1
k8sPrometheusAdapter:
nodeSelector:
nodename: worker1
nodename: worker2
openshiftStateMetrics:
nodeSelector:
nodename: worker1
thanosQuerier:
nodeSelector:
nodename: worker1
nodename: worker2To move a component that monitors user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configSpecify the nodeSelector constraint for the component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
nodeSelector:
<node_key>: <node_value>
<node_key>: <node_value>
<...>Substitute <component> accordingly and substitute <node_key>: <node_value> with the map of key-value pairs that specifies the destination nodes. Often, only a single key-value pair is used.
The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.
|
Many of the monitoring components are deployed by using multiple pods across different nodes in the cluster to maintain high availability. When moving monitoring components to labeled nodes, ensure that enough matching nodes are available to maintain resilience for the component. If only one label is specified, ensure that enough nodes contain that label to distribute all of the pods for the component across separate nodes. Alternatively, you can specify multiple labels each relating to individual nodes. |
|
If monitoring components remain in a |
For example, to move monitoring components for user-defined projects to specific worker nodes labeled nodename: worker1, nodename: worker2, and nodename: worker2, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheusOperator:
nodeSelector:
nodename: worker1
prometheus:
nodeSelector:
nodename: worker1
nodename: worker2
thanosRuler:
nodeSelector:
nodename: worker1
nodename: worker2Save the file to apply the changes. The components affected by the new configuration are moved to the new nodes automatically.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See the Kubernetes documentation for details on the nodeSelector constraint
You can assign tolerations to any of the monitoring stack components to enable moving them to tainted nodes.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To assign tolerations to a component that monitors core OKD projects:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configSpecify tolerations for the component:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
tolerations:
<toleration_specification>Substitute <component> and <toleration_specification> accordingly.
For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the alertmanagerMain component to tolerate the example taint:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"To assign tolerations to a component that monitors user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configSpecify tolerations for the component:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
tolerations:
<toleration_specification>Substitute <component> and <toleration_specification> accordingly.
For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the thanosRuler component to tolerate the example taint:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"Save the file to apply the changes. The new component placement configuration is applied automatically.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See the OKD documentation on taints and tolerations
See the Kubernetes documentation on taints and tolerations
Running cluster monitoring with persistent storage means that your metrics are stored to a persistent volume (PV) and can survive a pod being restarted or recreated. This is ideal if you require your metrics or alerting data to be guarded from data loss. For production environments, it is highly recommended to configure persistent storage. Because of the high IO demands, it is advantageous to use local storage.
|
If you are running cluster monitoring with an attached PVC for Prometheus, you might experience OOM kills during cluster upgrade. When persistent storage is in use for Prometheus, Prometheus memory usage doubles during cluster upgrade and for several hours after upgrade is complete. To avoid the OOM kill issue, allow worker nodes with double the size of memory that was available prior to the upgrade. For example, if you are running monitoring on the minimum recommended nodes, which is 2 cores with 8 GB of RAM, increase memory to 16 GB. For more information, see BZ#1925061. |
Dedicate sufficient local persistent storage to ensure that the disk does not become full. How much storage you need depends on the number of pods. For information on system requirements for persistent storage, see Prometheus database storage requirements.
Make sure you have a persistent volume (PV) ready to be claimed by the persistent volume claim (PVC), one PV for each replica. Because Prometheus has two replicas and Alertmanager has three replicas, you need five PVs to support the entire monitoring stack. The PVs should be available from the Local Storage Operator. This does not apply if you enable dynamically provisioned storage.
Use the block type of storage.
Configure local persistent storage.
|
If you use a local volume for persistent storage, do not use a raw block volume, which is described with |
For monitoring components to use a persistent volume (PV), you must configure a persistent volume claim (PVC).
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To configure a PVC for a component that monitors core OKD projects:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd your PVC configuration for the component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
volumeClaimTemplate:
spec:
storageClassName: <storage_class>
resources:
requests:
storage: <amount_of_storage>See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.
The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors core OKD components:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 40GiIn the above example, the storage class created by the Local Storage Operator is called local-storage.
The following example configures a PVC that claims local persistent storage for Alertmanager:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 10GiTo configure a PVC for a component that monitors user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd your PVC configuration for the component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
volumeClaimTemplate:
spec:
storageClassName: <storage_class>
resources:
requests:
storage: <amount_of_storage>See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.
The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 40GiIn the above example, the storage class created by the Local Storage Operator is called local-storage.
The following example configures a PVC that claims local persistent storage for Thanos Ruler:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 10Gi|
Storage requirements for the |
Save the file to apply the changes. The pods affected by the new configuration are restarted automatically and the new storage configuration is applied.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
By default, the OKD monitoring stack configures the retention time for Prometheus data to be 15 days. You can modify the retention time to change how soon the data is deleted.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To modify the retention time for the Prometheus instance that monitors core OKD projects:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd your retention time configuration under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
retention: <time_specification>Substitute <time_specification> with a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years).
The following example sets the retention time to 24 hours for the Prometheus instance that monitors core OKD components:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
retention: 24hTo modify the retention time for the Prometheus instance that monitors user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd your retention time configuration under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
retention: <time_specification>Substitute <time_specification> with a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years).
The following example sets the retention time to 24 hours for the Prometheus instance that monitors user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
retention: 24hSave the file to apply the changes. The pods affected by the new configuration are restarted automatically.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.
You have set up authentication credentials for the remote write endpoint.
|
To reduce security risks, avoid sending metrics to an endpoint via unencrypted HTTP or without using authentication. |
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd a remoteWrite: section under data/config.yaml/prometheusK8s.
Add an endpoint URL and authentication credentials in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write.endpoint"
<endpoint_authentication_credentials>For endpoint_authentication_credentials substitute the credentials for the endpoint.
Currently supported authentication methods are basic authentication (basicAuth) and client TLS (tlsConfig) authentication.
The following example configures basic authentication:
basicAuth:
username:
<usernameSecret>
password:
<passwordSecret>Substitute <usernameSecret> and <passwordSecret> accordingly.
The following sample shows basic authentication configured with remoteWriteAuth for the name values and user and password for the key values. These values contain the endpoint authentication credentials:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write.endpoint"
basicAuth:
username:
name: remoteWriteAuth
key: user
password:
name: remoteWriteAuth
key: passwordThe following example configures client TLS authentication:
tlsConfig:
ca:
<caSecret>
cert:
<certSecret>
keySecret:
<keySecret>Substitute <caSecret>, <certSecret>, and <keySecret> accordingly.
The following sample shows a TLS authentication configuration using selfsigned-mtls-bundle for the name values and ca.crt for the ca key value, client.crt for the cert key value, and client.key for the keySecret key value:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write.endpoint"
tlsConfig:
ca:
secret:
name: selfsigned-mtls-bundle
key: ca.crt
cert:
secret:
name: selfsigned-mtls-bundle
key: client.crt
keySecret:
name: selfsigned-mtls-bundle
key: client.keyAdd write relabel configuration values after the authentication credentials:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write.endpoint"
<endpoint_authentication_credentials>
<write_relabel_configs>For <write_relabel_configs> substitute a list of write relabel configurations for metrics that you want to send to the remote endpoint.
The following sample shows how to forward a single metric called my_metric:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write.endpoint"
writeRelabelConfigs:
- source_labels: [__name__]
regex: 'my_metric'
action: keepSee the Prometheus relabel_config documentation for information about write relabel configuration options.
If required, configure remote write for the Prometheus instance that monitors user-defined projects by changing the name and namespace metadata values as follows:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
remoteWrite:
- url: "https://remote-write.endpoint"
<endpoint_authentication_credentials>
<write_relabel_configs>|
The Prometheus config map component is called |
Save the file to apply the changes to the ConfigMap object.
The pods affected by the new configuration restart automatically.
|
Configurations applied to the |
|
Saving changes to a monitoring |
See Setting up remote write compatible endpoints for steps to create a remote write compatible endpoint (such as Thanos).
See Tuning remote write settings for information about how to optimize remote write settings for different use cases.
For information about additional optional fields, please refer to the API documentation.
Developers can create labels to define attributes for metrics in the form of key-value pairs. The number of potential key-value pairs corresponds to the number of possible values for an attribute. An attribute that has an unlimited number of potential values is called an unbound attribute. For example, a customer_id attribute is unbound because it has an infinite number of possible values.
Every assigned key-value pair has a unique time series. The use of many unbound attributes in labels can result in an exponential increase in the number of time series created. This can impact Prometheus performance and can consume a lot of disk space.
Cluster administrators can use the following measures to control the impact of unbound metrics attributes in user-defined projects:
Limit the number of samples that can be accepted per target scrape in user-defined projects
Create alerts that fire when a scrape sample threshold is reached or when the target cannot be scraped
|
Limiting scrape samples can help prevent the issues caused by adding many unbound attributes to labels. Developers can also prevent the underlying cause by limiting the number of unbound attributes that they define for metrics. Using attributes that are bound to a limited set of possible values reduces the number of potential key-value pair combinations. |
You can limit the number of samples that can be accepted per target scrape in user-defined projects.
|
If you set a sample limit, no further sample data is ingested for that target scrape after the limit is reached. |
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd the enforcedSampleLimit configuration to data/config.yaml to limit the number of samples that can be accepted per target scrape in user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
enforcedSampleLimit: 50000 (1)| 1 | A value is required if this parameter is specified. This enforcedSampleLimit example limits the number of samples that can be accepted per target scrape in user-defined projects to 50,000. |
Save the file to apply the changes. The limit is applied automatically.
|
Configurations applied to the |
|
When changes are saved to the |
You can create alerts that notify you when:
The target cannot be scraped or is not available for the specified for duration
A scrape sample threshold is reached or is exceeded for the specified for duration
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have enabled monitoring for user-defined projects.
You have created the user-workload-monitoring-config ConfigMap object.
You have limited the number of samples that can be accepted per target scrape in user-defined projects, by using enforcedSampleLimit.
You have installed the OpenShift CLI (oc).
Create a YAML file with alerts that inform you when the targets are down and when the enforced sample limit is approaching. The file in this example is called monitoring-stack-alerts.yaml:
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
prometheus: k8s
role: alert-rules
name: monitoring-stack-alerts (1)
namespace: ns1 (2)
spec:
groups:
- name: general.rules
rules:
- alert: TargetDown (3)
annotations:
message: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service
}} targets in {{ $labels.namespace }} namespace are down.' (4)
expr: 100 * (count(up == 0) BY (job, namespace, service) / count(up) BY (job,
namespace, service)) > 10
for: 10m (5)
labels:
severity: warning (6)
- alert: ApproachingEnforcedSamplesLimit (7)
annotations:
message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' (8)
expr: scrape_samples_scraped/50000 > 0.8 (9)
for: 10m (10)
labels:
severity: warning (11)| 1 | Defines the name of the alerting rule. |
| 2 | Specifies the user-defined project where the alerting rule will be deployed. |
| 3 | The TargetDown alert will fire if the target cannot be scraped or is not available for the for duration. |
| 4 | The message that will be output when the TargetDown alert fires. |
| 5 | The conditions for the TargetDown alert must be true for this duration before the alert is fired. |
| 6 | Defines the severity for the TargetDown alert. |
| 7 | The ApproachingEnforcedSamplesLimit alert will fire when the defined scrape sample threshold is reached or exceeded for the specified for duration. |
| 8 | The message that will be output when the ApproachingEnforcedSamplesLimit alert fires. |
| 9 | The threshold for the ApproachingEnforcedSamplesLimit alert. In this example the alert will fire when the number of samples per target scrape has exceeded 80% of the enforced sample limit of 50000. The for duration must also have passed before the alert will fire. The <number> in the expression scrape_samples_scraped/<number> > <threshold> must match the enforcedSampleLimit value defined in the user-workload-monitoring-config ConfigMap object. |
| 10 | The conditions for the ApproachingEnforcedSamplesLimit alert must be true for this duration before the alert is fired. |
| 11 | Defines the severity for the ApproachingEnforcedSamplesLimit alert. |
Apply the configuration to the user-defined project:
$ oc apply -f monitoring-stack-alerts.yamlSee Determining why Prometheus is consuming a lot of disk space for steps to query which metrics have the highest number of scrape samples
The OKD monitoring stack includes a local Alertmanager instance that routes alerts from Prometheus.
You can add external Alertmanager instances by configuring the cluster-monitoring-config config map in either the openshift-monitoring project or the user-workload-monitoring-config project.
If you add the same external Alertmanager configuration for multiple clusters and disable the local instance for each cluster, you can then manage alert routing for multiple clusters by using a single external Alertmanager instance.
You have installed the OpenShift CLI (oc).
If you are configuring core OKD monitoring components in the openshift-monitoring project:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config config map.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config config map.
Edit the ConfigMap object.
To configure additional Alertmanagers for routing alerts from core OKD projects:
Edit the cluster-monitoring-config config map in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd an additionalAlertmanagerConfigs: section under data/config.yaml/prometheusK8s.
Add the configuration details for additional Alertmanagers in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
additionalAlertmanagerConfigs:
- <alertmanager_specification>For <alertmanager_specification>, substitute authentication and other configuration details for additional Alertmanager instances.
Currently supported authentication methods are bearer token (bearerToken) and client TLS (tlsConfig).
The following sample config map configures an additional Alertmanager using a bearer token with client TLS authentication:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
additionalAlertmanagerConfigs:
- scheme: https
pathPrefix: /
timeout: "30s"
apiVersion: v1
bearerToken:
name: alertmanager-bearer-token
key: token
tlsConfig:
key:
name: alertmanager-tls
key: tls.key
cert:
name: alertmanager-tls
key: tls.crt
ca:
name: alertmanager-tls
key: tls.ca
staticConfigs:
- external-alertmanager1-remote.com
- external-alertmanager1-remote2.comTo configure additional Alertmanager instances for routing alerts from user-defined projects:
Edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd a <component>/additionalAlertmanagerConfigs: section under data/config.yaml/.
Add the configuration details for additional Alertmanagers in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
additionalAlertmanagerConfigs:
- <alertmanager_specification>For <component>, substitute one of two supported external Alertmanager components: prometheus or thanosRuler.
For <alertmanager_specification>, substitute authentication and other configuration details for additional Alertmanager instances.
Currently supported authentication methods are bearer token (bearerToken) and client TLS (tlsConfig).
The following sample config map configures an additional Alertmanager using Thanos Ruler with a bearer token and client TLS authentication:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
additionalAlertmanagerConfigs:
- scheme: https
pathPrefix: /
timeout: "30s"
apiVersion: v1
bearerToken:
name: alertmanager-bearer-token
key: token
tlsConfig:
key:
name: alertmanager-tls
key: tls.key
cert:
name: alertmanager-tls
key: tls.crt
ca:
name: alertmanager-tls
key: tls.ca
staticConfigs:
- external-alertmanager1-remote.com
- external-alertmanager1-remote2.com|
Configurations applied to the |
Save the file to apply the changes to the ConfigMap object.
The new component placement configuration is applied automatically.
Using the external labels feature of Prometheus, you can attach custom labels to all time series and alerts leaving Prometheus.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To attach custom labels to all time series and alerts leaving the Prometheus instance that monitors core OKD projects:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configDefine a map of labels you want to add for every metric under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
externalLabels:
<key>: <value> (1)| 1 | Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value. |
|
Do not use |
For example, to add metadata about the region and environment to all time series and alerts, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
externalLabels:
region: eu
environment: prodTo attach custom labels to all time series and alerts leaving the Prometheus instance that monitors user-defined projects:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configDefine a map of labels you want to add for every metric under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
externalLabels:
<key>: <value> (1)| 1 | Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value. |
|
Do not use |
|
In the |
For example, to add metadata about the region and environment to all time series and alerts related to user-defined projects, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
externalLabels:
region: eu
environment: prodSave the file to apply the changes. The new configuration is applied automatically.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See Preparing to configure the monitoring stack for steps to create monitoring config maps
You can configure the log level for Prometheus Operator, Prometheus, Thanos Querier, and Thanos Ruler.
The following log levels can be applied to each of those components in the cluster-monitoring-config and user-workload-monitoring-config ConfigMap objects:
debug. Log debug, informational, warning, and error messages.
info. Log informational, warning, and error messages.
warn. Log warning and error messages only.
error. Log error messages only.
The default log level is info.
If you are setting a log level for Prometheus Operator, Prometheus, or Thanos Querier in the openshift-monitoring project:
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
If you are setting a log level for Prometheus Operator, Prometheus, or Thanos Ruler in the openshift-user-workload-monitoring project:
You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the ConfigMap object:
To set a log level for a component in the openshift-monitoring project:
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd logLevel: <log_level> for a component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>: (1)
logLevel: <log_level> (2)| 1 | The monitoring component that you are applying a log level to. |
| 2 | The log level to apply to the component. |
To set a log level for a component in the openshift-user-workload-monitoring project:
Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-configAdd logLevel: <log_level> for a component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>: (1)
logLevel: <log_level> (2)| 1 | The monitoring component that you are applying a log level to. |
| 2 | The log level to apply to the component. |
Save the file to apply the changes. The pods for the component restarts automatically when you apply the log-level change.
|
Configurations applied to the |
|
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
Confirm that the log-level has been applied by reviewing the deployment or pod configuration in the related project. The following example checks the log level in the prometheus-operator deployment in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring get deploy prometheus-operator -o yaml | grep "log-level" - --log-level=debugCheck that the pods for the component are running. The following example lists the status of pods in the openshift-user-workload-monitoring project:
$ oc -n openshift-user-workload-monitoring get pods|
If an unrecognized |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
By default, a read-only Grafana instance is deployed with a collection of dashboards displaying cluster metrics. The Grafana instance is not user-configurable.
You can disable the Grafana deployment, causing the associated resources to be deleted from the cluster. You might do this if you do not need these dashboards and want to conserve resources in your cluster. You will still be able to view metrics and dashboards included in the web console. Grafana can be safely enabled again at any time.
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd enabled: false for the grafana component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
grafana:
enabled: falseSave the file to apply the changes. The resources will begin to be removed automatically when you apply the change.
|
This change results in some components, including Prometheus and the Thanos Querier, being restarted. This might lead to previously collected metrics being lost if you have not yet followed the steps in the "Configuring persistent storage" section. |
Check that the Grafana pod is no longer running. The following example lists the status of pods in the openshift-monitoring project:
$ oc -n openshift-monitoring get pods|
It may take a few minutes after applying the change for these pods to terminate. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
A local Alertmanager that routes alerts from Prometheus instances is enabled by default in the openshift-monitoring project of the OKD monitoring stack.
If you do not need the local Alertmanager, you can disable it by configuring the cluster-monitoring-config config map in the openshift-monitoring project.
You have access to the cluster as a user with the cluster-admin role.
You have created the cluster-monitoring-config config map.
You have installed the OpenShift CLI (oc).
Edit the cluster-monitoring-config config map in the openshift-monitoring project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-configAdd enabled: false for the alertmanagerMain component under data/config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
enabled: falseSave the file to apply the changes. The Alertmanager instance is disabled automatically when you apply the change.
Learn about remote health reporting and, if necessary, opt out of it